IDS mailing list archives

RE: IDS, IPS or just rubbish


From: "Fergus Brooks" <fergusb () evolve-online com>
Date: Thu, 26 Jun 2003 15:18:30 +0800


I too attended a partner event - unfortunately I only got to see the
sales briefing and not the technical one. I left generally confused, but
it did seem to me that they were talking about releasing new "patterns"
for "pattern matching" via the web which the fw admin could add through
a manual edit.

If they have also built in some protocol decoding and anomaly detection
then it sounds a lot like an IDS to me. Add to it the ability to block
traffic at the enforcement module interface then it sounds like an IPS.
I could imagine a lot of clients would go for this if it is an add-on
for their existing implemented investment.

But from what you're saying, James, it falls down in correlation? Also you
hinted that it may not be easy to install?

Can you tell me if it has the ability to send alerts out via
LEA/ELA/OPSEC? 

And - for some levity - if Checkpoint releasing NG led Stonesoft to
release Stonegate, I wonder what ISS' new firewall will be called?
RealFirewall? (comes with your media player...) ReallySecure Firewall?
(sounds Australian....)


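The HTTP/1.1 decoding that James Cutter's quoted message below refers to (several requests on one connection, chunked bodies, "double" headers), worked through as an added example; this is not code from the original thread or from any vendor discussed in it. It assumes TCP reassembly has already produced the client-to-server byte stream, the sample stream is constructed, and the anomaly rules (conflicting duplicate Content-Length, Host or Transfer-Encoding; Transfer-Encoding together with Content-Length; HTTP/1.1 without Host) are our own reading of what a double-header check would look for:

```python
"""HTTP/1.1 stream inspector: splits pipelined requests on one TCP
connection, de-chunks bodies, and flags conflicting duplicate headers."""
from __future__ import annotations

# Headers that must not appear twice with different values in one request.
# This set is our own choice for the example; a real inspector carries more.
SINGLETON_HEADERS = {"content-length", "transfer-encoding", "host"}


def _parse_headers(block: bytes) -> list[tuple[str, str]]:
    """Turn raw header lines (after the request line) into (name, value) pairs."""
    headers = []
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, _, value = line.partition(b":")
        headers.append((name.strip().decode("latin-1").lower(),
                        value.strip().decode("latin-1")))
    return headers


def _read_chunked(stream: bytes, pos: int) -> tuple[bytes, int]:
    """Decode a chunked body starting at pos; return (body, position after trailer)."""
    body = b""
    while True:
        eol = stream.index(b"\r\n", pos)
        size = int(stream[pos:eol].split(b";", 1)[0], 16)  # drop chunk extensions
        pos = eol + 2
        if size == 0:
            # last chunk: skip optional trailer header lines up to the empty line
            end = stream.index(b"\r\n", pos)
            while end != pos:
                pos = end + 2
                end = stream.index(b"\r\n", pos)
            return body, end + 2
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data is followed by CRLF


def split_requests(stream: bytes) -> list[dict]:
    """Split one client->server stream into the HTTP/1.1 requests it carries."""
    requests = []
    pos = 0
    while pos < len(stream):
        head_end = stream.index(b"\r\n\r\n", pos)
        request_line, _, header_block = stream[pos:head_end].partition(b"\r\n")
        method, target, version = request_line.decode("latin-1").split(" ", 2)
        headers = _parse_headers(header_block)
        pos = head_end + 4
        # Body framing (RFC 7230 3.3.3): Transfer-Encoding wins over
        # Content-Length; with neither, a request carries no body.
        te = [v for n, v in headers if n == "transfer-encoding"]
        cl = [v for n, v in headers if n == "content-length"]
        if te and te[-1].lower().endswith("chunked"):
            body, pos = _read_chunked(stream, pos)
        elif cl:
            # With conflicting lengths we take the first only so parsing can
            # continue; inspect_request() reports the conflict separately.
            length = int(cl[0])
            body = stream[pos:pos + length]
            pos += length
        else:
            body = b""
        requests.append({"method": method, "target": target, "version": version,
                         "headers": headers, "body": body})
    return requests


def inspect_request(req: dict) -> list[str]:
    """Return the anomaly findings for one parsed request."""
    findings = []
    seen: dict[str, set[str]] = {}
    for name, value in req["headers"]:
        seen.setdefault(name, set()).add(value)
    for name in sorted(SINGLETON_HEADERS):
        if len(seen.get(name, ())) > 1:
            findings.append(f"conflicting duplicate {name} header: {sorted(seen[name])}")
    if "transfer-encoding" in seen and "content-length" in seen:
        findings.append("both Transfer-Encoding and Content-Length present")
    if req["version"] == "HTTP/1.1" and "host" not in seen:
        findings.append("HTTP/1.1 request without Host header")
    return findings


def inspect_stream(stream: bytes) -> list[tuple[str, list[str]]]:
    """Parse a stream and return (request line, findings) per request."""
    return [(f"{r['method']} {r['target']}", inspect_request(r))
            for r in split_requests(stream)]


def naive_request_count(stream: bytes) -> int:
    """What a scanner that does not de-chunk would count as 'requests'."""
    return stream.count(b" HTTP/1.1\r\n")


# Constructed sample stream (not captured traffic): three pipelined requests.
SAMPLE_STREAM = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    # chunked body whose 23 bytes of data look like another request line;
    # a scanner that does not de-chunk sees a fourth "request" here
    b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Transfer-Encoding: chunked\r\n\r\n"
    b"17\r\nGET /admin HTTP/1.1\r\n\r\n\r\n0\r\n\r\n"
    # two Content-Length values that disagree, plus a Transfer-Encoding
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 5\r\n"
    b"Content-Length: 10\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"a\r\nuser=alice\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    print("naive count:", naive_request_count(SAMPLE_STREAM))
    for line, findings in inspect_stream(SAMPLE_STREAM):
        print(line, findings or "ok")
```

The point of the constructed stream is the gap between `naive_request_count` (4) and `split_requests` (3): a pattern matcher working on raw bytes sees a request inside the chunked body that the server never parses, and it sees only the first of two Content-Length values on the last request. A gateway that makes a framing decision on such a request should drop it rather than guess.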
-----Original Message-----
From: James Cutter [mailto:JamesCutter () thedoghousemail com] 
Sent: Wednesday, 25 June 2003 6:19 PM
To: focus-ids () securityfocus com
Subject: RE: IDS, IPS or just rubbish


I was in one of their partner events as well. It looks to me like you
misunderstood their point. 

They do not have many signatures. In fact, they do not claim to be a
signature based company. They do claim to provide protection by
understanding the protocols and applications. 
How many firewalls do you know that understand HTTP 1.1 (really
understand, including the ability to catch different HTTP requests on
the same connection, chunks, retransmissions etc.)? How many firewalls
are able to protect on day zero against double HTTP header attacks,
WebDAV attacks etc.?

Even with the signatures that they do have, they perform aggressive
matching against different encodings and regular expression matching.
Adding the fact that they do IP fragment checks for all IP traffic (and
not only port 80) and reassemble TCP streams - I think that they can be
called intelligent. (And according to their claims, most of the work is
done in the kernel, with an expected 3% performance loss. Even if I
don't take this as they claim, it is better than any system I know.
Believe me, I know.)

I do think that they need to improve their configuration and
documentation. Right now, fools cannot use their systems (without using
us, the system integrators). It is too difficult. One should define
resources, set different properties and so on. For the first time in
several years, I think that my customers understand why Checkpoint
claims to be superior. All I need to do is demonstrate HTTP 1.1
penetration with other firewall systems.

If I understand their vision, they are going further with non-signature
policy.

BTW, my customers are using their SQL Inspect fixes. They were able to
operate while the worm was hitting them. How many other vendors offer
this?

I recommend that my customers keep using IDS. I think that there is a
need for event correlation technology. Again, Checkpoint is not a
signature company.


Jack Ryan said: 
I went to the local product launch of Checkpoint FW-1 Next Generation
*Artificial Intelligence* the other day and was interested to see that
this technology is nothing more than a signature-based IDS that can pass
stuff on to the firewall. Funnily enough they call it "Active Defense"
which is the same name NAI used to describe Cybercop talking to Gauntlet
before they dropped/sold the products.

Checkpoint are pushing this patch to NG FP3 FW-1 as an all-in-one
solution whereby you wouldn't need an IDS as well as a firewall. In Hong
Kong they have over 70% of the firewall market - their market
penetration is similar worldwide - in order to gain competitive
advantage they are trying to crush the IDS/IPS market. Maybe they've
been partying with Gartner.

What's more they are lying through their teeth. I sat there and listened
to them pull out terms like zero-day and protocol anomaly detection
which is simply them jumping on the bandwagon of quality solutions. It
is signature-based, and though Checkpoint will apparently notify you of
any new threats you will still need to edit a text file so that the
firewall knows what they are.

Their big push is that they are doing application-layer stuff now which
anyone who knows firewalls will know is what Sidewinder, Gauntlet and
Axent (Symantec) have been doing for years. FW-1 is a stateful packet
filter - and probably the best there is in terms of enterprise
management. However they are not analysing traffic at the application
layer aside from a handful of signatures. They were saying that FW-1 NG
AI is the only gateway solution of its kind. Symantec have had
signature-based IDS combined with the *real* layer 7 Raptor firewall in
their SGS box for ages. (performance aside.........) 

They kept telling me about SQL Slammer and how this solution will stop
it. What utter crap. Can anyone on this list tell me of a
signature-based IDS which picked Slammer up in the 2-odd hours it needed
to propagate?

There has been a lot of discussion here about the future of IDS - I
think I've seen Checkpoint's vision....... Treat us all like fools. 

Zero-day detection my ****. 




_____________________________________________________________
Get your FREE TheDoghouseMail email address at
http://www.thedoghousemail.com

_____________________________________________________________
Select your own custom email address for FREE! Get you () yourchoice com,
No Ads, 6MB, IMAP, POP, SMTP & more!
http://www.everyone.net/selectmail?campaign=tag

-------------------------------------------------------------------------------
Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
world's premier technical IT security event! 10 tracks, 15 training sessions,
1,800 delegates from 30 nations including all of the top experts, from CSO's to
"underground" security specialists.  See for yourself what the buzz is about!
Early-bird registration ends July 3.  This event will sell out. www.blackhat.com
-------------------------------------------------------------------------------
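Fergus asks above about "patterns" an administrator adds by editing a file, James mentions "aggressive matching against different encoding", and Jack notes that new threats still mean editing a text file. The following added example (our own code, not the original thread's and not any vendor's) shows why the two go together: a hand-edited regex list matched against the raw request target misses the same attack once it is percent-encoded, while matching against a canonical form catches it. The pattern file, its tab-separated format, the names in it and the sample targets are all constructed for the example; the decode bound of three passes is an assumption:

```python
"""Signature matching on HTTP request targets, before and after decoding.
Shows why a pattern list must be matched against the canonical form of
the request rather than the raw bytes on the wire."""
import re
from urllib.parse import unquote

# Constructed pattern file in a "one rule per line" style an admin could
# edit by hand: name<TAB>regex. Names and regexes are ours for the example.
PATTERN_FILE = """\
# name<TAB>regex (matched case-insensitively against the request target)
dir-traversal\t(?:^|/)\\.\\.(?:/|$)
passwd-read\t/etc/passwd
cmd-exe\t/cmd\\.exe
"""

MAX_DECODE_PASSES = 3  # bound on repeated decoding (assumption for the example)


def load_patterns(text):
    """Parse the pattern file into (name, compiled regex) pairs, skipping comments."""
    patterns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, regex = line.split("\t", 1)
        patterns.append((name, re.compile(regex, re.IGNORECASE)))
    return patterns


def canonicalize(target):
    """Return (canonical path, number of decode passes that changed the string).

    Percent-decoding is repeated until it stops changing the target or the
    bound is hit (attackers stack encodings: %252e -> %2e -> '.'), then
    '/./' segments and runs of slashes are collapsed."""
    passes = 0
    current = target
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(current, encoding="utf-8", errors="replace")
        if decoded == current:
            break
        current = decoded
        passes += 1
    current = re.sub(r"/{2,}", "/", current)
    current = re.sub(r"/\./", "/", current)
    return current, passes


def match_raw(target, patterns):
    """Pattern names that match the target exactly as sent."""
    return [name for name, rx in patterns if rx.search(target)]


def match_canonical(target, patterns):
    """Pattern names that match the decoded target; stacked encoding is itself
    reported, since no legitimate client double-encodes a path."""
    canon, passes = canonicalize(target)
    hits = [name for name, rx in patterns if rx.search(canon)]
    if passes > 1:
        hits.append("multi-encoded")
    return hits


def scan(targets, patterns):
    """Map each target to (raw hits, canonical hits) so the gap is visible."""
    return {t: (match_raw(t, patterns), match_canonical(t, patterns)) for t in targets}


# Constructed sample targets (not captured traffic): the same traversal
# attempt in plain, single-encoded and double-encoded forms, plus a benign path.
SAMPLE_TARGETS = [
    "/cgi-bin/../../etc/passwd",
    "/cgi-bin/%2e%2e/%2e%2e/etc/passwd",
    "/scripts/%252e%252e/%252e%252e/winnt/system32/cmd%252eexe",
    "/docs/index.html",
]

if __name__ == "__main__":
    for target, (raw, canon) in scan(SAMPLE_TARGETS, load_patterns(PATTERN_FILE)).items():
        print(f"{target}\n  raw: {raw or '-'}\n  canonical: {canon or '-'}")
```

The bound on decode passes matters in both directions: without it a hostile client can make the inspector loop, and decoding more than the server itself will decode produces false positives, so the canonical form should mirror what the protected server actually does with the path.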









